Microsoft Stream classic domain hijacked, causing spam across SharePoint

(Image credit: Shutterstock)

An old Microsoft Stream domain was recently hijacked
Many SharePoint sites with embedded videos displayed the malicious content
Microsoft quickly addressed the issue, so users should update now

A retired Microsoft domain was hijacked and used in a spam campaign, experts have warned.

Microsoft used to have an enterprise video-sharing platform called Stream, where organizations could securely upload, manage, and share video content. In April 2024, it was retired and replaced by Microsoft Stream on SharePoint.

The key difference is that the videos were no longer stored separately in the Stream platform, but rather on OneDrive and SharePoint, to make them more accessible through Microsoft 365 tools such as Teams, Yammer, or PowerPoint.

"Appropriate action"

Today, almost a year after the migration, news came out that the legacy domain - microsoftstream.com - was hijacked and used to display a fake Amazon site advertising a Thai casino.

The biggest issue with this attack is that all SharePoint sites with old embedded videos were displaying the spam on their premises.

BleepingComputer found a number of users complaining about the takeover on Reddit:

"This afternoon, a user reported a suspicious website on our intranet, that is using microsoftstream.com. After some analysis, it turns out the domain is currently redirecting to a sketchy website signed by 'Ibiza99'," one user said. "Here's an interesting one for you all. I just got a call that our SharePoint site was showing spam instead of embedded videos. Interesting, I thought. I wonder how that could happen," another one added.

No further information about the attack was shared, but Microsoft was soon notified about the change and it moved quickly to remedy the problem, stating, “We are aware of these reports and have taken appropriate action to further prevent access to impacted domains".

Apparently, the old domain could have been in more sinister campaigns, distributing malware through fake software updates, for example. However, good news is that the attackers opted for the least harmful thing - a spam campaign.

Massive online data breach sees 2.7 billion records leaked - here's what we know
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.